Mythic

Malware

⚠️ Overview

Mythic is an open-source, cross-platform post-exploitation framework first publicly released in 2019 by security researcher Caleb Stewart (known as “its-a-feature”) on GitHub. It is categorized as a Command and Control (C2) framework, similar to Cobalt Strike or Empire, designed for red-team engagements but also adopted by advanced persistent threat (APT) actors. According to MITRE ATT&CK (ID S0451), Mythic provides a modular agent architecture supporting multiple communication protocols, including HTTP, HTTPS, WebSocket, DNS, and SMB.

🔧 Technical Capabilities

Mythic agents, known as “payloads,” can be compiled for Windows, Linux, macOS, and ARM-based devices using a plugin system that supports languages like C#, Go, Python, and Rust. The framework employs a flexible C2 infrastructure where operators can configure callback intervals, jitter, and user-agent strings; default user-agents often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 variants. Persistence mechanisms include scheduled tasks, registry run keys, and launch daemons, while evasion techniques leverage process injection (e.g., via CreateRemoteThread), AMSI bypasses, and ETW patching (CVE-2022-21882 is known to be used in conjunction with UAC bypasses). Mythic also supports dynamic code loading and encrypted in-memory execution to evade static detection.

📜 History & Notable Incidents

In January 2024, Mandiant reported that the Russian-backed APT group UNC3890 deployed Mythic agents against Israeli shipping and maritime targets, using spear-phishing emails with malicious Excel attachments. In March 2023, Proofpoint documented a campaign distributing Mythic via Google Ads impersonating 7-Zip and Notepad++ to deliver the agent as a signed installer. No CVEs are exclusive to Mythic, but it exploits common vulnerabilities (e.g., CVE-2021-40444) for initial access. Law enforcement actions have not targeted Mythic itself, but several takedown operations have disrupted Mythic-controlled infrastructure used in ransomware campaigns.

🔍 Detection Indicators

Network IOCs include unusual HTTPS traffic to /api/ endpoints with JSON payloads, DNS TXT queries carrying base64-encoded data, and SMB named-pipe connections on port 445. Known file hashes are not stable because Mythic generates payloads dynamically, but behavioral signatures include child processes spawned by wscript.exe or cscript.exe with suspicious script content. Registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run with base64 values have been observed. The default Mythic User-Agent string is “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36” but can be customized.
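As a defender-side illustration of the indicators listed in this section, the following Python script runs those checks over constructed proxy, DNS and registry samples. It is an added example, not code from the Mythic project or from this page's sources: the log line format, the host names and URL paths, the query names and the registry values are all made up for the example, and only the User-Agent string is taken from the page.

```python
"""Triage helpers for the Mythic indicators described above (added example).

Everything below except MYTHIC_DEFAULT_UA is constructed for illustration:
the proxy log format, hosts, paths, DNS names and registry values are not
real telemetry and not Mythic defaults.
"""
import base64
import binascii
import re

# Default User-Agent string quoted on the page.
MYTHIC_DEFAULT_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
)

# Constructed proxy log format: client method url status request-content-type "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed samples (labelled as such); the first proxy line carries the page's UA string.
SAMPLE_PROXY_LOGS = [
    '10.0.0.5 POST https://203.0.113.10/api/v1/checkin 200 application/json "' + MYTHIC_DEFAULT_UA + '"',
    '10.0.0.7 GET https://example.com/index.html 200 text/html "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.0.0.9 POST https://203.0.113.10/api/v1/checkin 200 application/json "curl/8.0"',
]
SAMPLE_DNS_QUERIES = [
    "TXT aGVsbG8gbXl0aGljIGFnZW50.c2.example.net",  # label is base64 of "hello mythic agent"
    "A www.example.com",
    "TXT _dmarc.example.com",
]
SAMPLE_REGISTRY_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "c2FtcGxlIHJ1biBrZXkgdmFsdWU="),  # base64 of "sample run key value"
]


def looks_like_base64(s, min_len=16):
    """Heuristic: long enough, base64 alphabet only, and decodes cleanly once padded."""
    if len(s) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    padded = s + "=" * (-len(s) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def proxy_indicators(line):
    """Return the names of the page's network indicators a single proxy line matches."""
    m = PROXY_LINE.match(line)
    if not m:
        return []
    hits = []
    if m["ua"] == MYTHIC_DEFAULT_UA:
        hits.append("default_mythic_user_agent")
    # JSON request body sent to an /api/ path, as described in the indicators section.
    if "/api/" in m["url"] and m["ctype"].startswith("application/json"):
        hits.append("json_to_api_endpoint")
    return hits


def dns_txt_indicator(query):
    """query is '<type> <name>'; flag TXT queries whose labels carry a base64 blob."""
    qtype, _, name = query.partition(" ")
    if qtype != "TXT":
        return False
    return any(looks_like_base64(label) for label in name.split("."))


def registry_run_indicator(key, value):
    """Flag HKCU Run-key values that are a bare base64 blob instead of a command line."""
    run_key = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
    return key.upper().startswith(run_key) and looks_like_base64(value)


def triage(proxy_lines, dns_queries, registry_values):
    """Run all three checks and group the findings by data source."""
    findings = {"proxy": [], "dns": [], "registry": []}
    for line in proxy_lines:
        hits = proxy_indicators(line)
        if hits:
            findings["proxy"].append((line.split(" ", 1)[0], hits))
    for query in dns_queries:
        if dns_txt_indicator(query):
            findings["dns"].append(query)
    for key, name, value in registry_values:
        if registry_run_indicator(key, value):
            findings["registry"].append(name)
    return findings


if __name__ == "__main__":
    for source, items in triage(SAMPLE_PROXY_LOGS, SAMPLE_DNS_QUERIES, SAMPLE_REGISTRY_RUN).items():
        print(source, items)
```

Two caveats when adapting this to real telemetry: the default User-Agent is a genuine Chrome 90 string, so a match on it alone is a weak signal and should be combined with the /api/ JSON pattern or with endpoint evidence; and the base64 heuristic will flag any sufficiently long token made only of letters and digits, so tune `min_len` and review hits rather than alerting on them directly.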

☠️ Risk & Impact

Mythic enables full remote control, data exfiltration, and lateral movement, leading to intellectual property theft, ransomware deployment, and credential harvesting. Sectors most affected include government, maritime, technology, and logistics. Financial losses from Mythic-assisted intrusions are not publicly aggregated, but the 2024 UNC3890 campaign is estimated to have compromised over 200 organizations.

🛡️ Mitigation

Deploy endpoint detection and response (EDR) solutions with behavioral detection rules for process injection and AMSI/ETW patching; implement network segmentation to limit SMB and RDP lateral movement. Regularly apply patches for CVE-2022-21882 and CVE-2021-40444, and enforce application whitelisting to block untrusted payloads. Utilize YARA rules from MITRE’s open-source repository that match Mythic agent headers and encryption routines.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.



ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.